The advanced persistent threat (APT) actor Lazarus, infamous for its growing financial motivation, has hit cryptocurrency businesses with new Trojanised decentralised finance (DeFi) apps in order to increase its profits. Lazarus abuses legitimate applications used to manage cryptocurrency wallets, distributing malware that gives the attackers control over victims’ systems.

The Lazarus group is one of the world’s most active APT actors, operating since at least 2009. Unlike most state-sponsored APT groups, Lazarus and other threat actors associated with this APT have made financial gain one of their primary goals. As the cryptocurrency market grows along with the non-fungible token (NFT) and decentralised finance (DeFi) markets, Lazarus continues to find new ways to target cryptocurrency users.

In December 2021, Kaspersky researchers uncovered a new malware campaign by the Lazarus group that uses a Trojanised DeFi app against cryptocurrency businesses. The application bundles a legitimate program called DeFi Wallet, which stores and manages cryptocurrency wallets. When executed, the app drops a malicious file alongside the installer for the legitimate application and launches the malware with the Trojanised installer’s path. The generated malware then overwrites the legitimate application with the Trojanised application.
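The behaviour described above (an installer writes a new executable, then launches it with the Trojanised installer’s own path) is something endpoint telemetry can be searched for. The following is an added detection example written for this article; it is not Kaspersky’s detection logic and contains no real Lazarus indicators. The event format loosely follows Sysmon field names, and every sample event, path and PID is constructed for illustration.

```python
"""Heuristic for the self-referencing dropper pattern described above.

Added example (not from the original article). Flags a process that first
writes an executable to disk and then spawns that executable with its own
image path on the command line. Field names are Sysmon-like; all sample
events below are constructed and are not real indicators of compromise.
"""
from collections import defaultdict

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com")

# Constructed sample telemetry: one suspicious chain (pids 100 -> 200) and
# one benign installer chain (pids 300 -> 301) that should not alert.
SAMPLE_EVENTS = [
    {"ts": 1, "type": "ProcessCreate", "pid": 100, "ppid": 1,
     "image": r"C:\Users\bob\Downloads\DeFi-App-Setup.exe",
     "cmdline": r'"C:\Users\bob\Downloads\DeFi-App-Setup.exe"'},
    {"ts": 2, "type": "FileCreate", "pid": 100,
     "target": r"C:\ProgramData\Vendor\legit-installer.exe"},
    {"ts": 3, "type": "FileCreate", "pid": 100,
     "target": r"C:\ProgramData\Updater\svc.exe"},
    {"ts": 4, "type": "ProcessCreate", "pid": 200, "ppid": 100,
     "image": r"C:\ProgramData\Updater\svc.exe",
     "cmdline": r'"C:\ProgramData\Updater\svc.exe" "C:\Users\bob\Downloads\DeFi-App-Setup.exe"'},
    {"ts": 5, "type": "ProcessCreate", "pid": 300, "ppid": 1,
     "image": r"C:\Users\bob\Downloads\other-setup.exe",
     "cmdline": r'"C:\Users\bob\Downloads\other-setup.exe"'},
    {"ts": 6, "type": "FileCreate", "pid": 300,
     "target": r"C:\Program Files\Other\other.exe"},
    {"ts": 7, "type": "ProcessCreate", "pid": 301, "ppid": 300,
     "image": r"C:\Program Files\Other\other.exe",
     "cmdline": r'"C:\Program Files\Other\other.exe" /silent'},
]


def find_self_referencing_droppers(events):
    """Return one alert per child process that (a) was written to disk by its
    parent and (b) received the parent's own image path on its command line."""
    images = {}                  # pid -> image path of that process
    written = defaultdict(set)   # pid -> lower-cased executable paths it wrote
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "FileCreate":
            if ev["target"].lower().endswith(EXECUTABLE_SUFFIXES):
                written[ev["pid"]].add(ev["target"].lower())
        elif ev["type"] == "ProcessCreate":
            images[ev["pid"]] = ev["image"]
            parent_image = images.get(ev.get("ppid"))
            if (parent_image
                    and ev["image"].lower() in written[ev["ppid"]]
                    and parent_image.lower() in ev["cmdline"].lower()):
                alerts.append({
                    "dropper": parent_image,
                    "payload": ev["image"],
                    "payload_pid": ev["pid"],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_self_referencing_droppers(SAMPLE_EVENTS):
        print(f"ALERT dropper={alert['dropper']} "
              f"payload={alert['payload']} pid={alert['payload_pid']}")
```

Run against the constructed events, only the first chain alerts: the benign installer also writes and launches an executable, but never hands the child its own path. In production this heuristic needs tuning, since some legitimate self-updaters relaunch a helper with the original binary’s path; combining it with a check that the written executable lacks a valid vendor signature, or lives outside the install directory, cuts that noise.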

The malware used in this infection scheme is a full-featured backdoor capable of controlling the victim’s system remotely. Once in control, the attacker can delete files, gather information, connect to specific IP addresses and communicate with the C2 server. Based on the history of Lazarus’s attacks, the researchers assess that the motivation behind this campaign is financial gain. Examining the backdoor’s functionality, Kaspersky researchers found numerous overlaps with other tools used by the Lazarus group, namely the CookieTime and ThreatNeedle malware clusters. The multi-stage infection scheme is also one Lazarus uses heavily across its infrastructure.

“We have observed Lazarus’s interest in the cryptocurrency industry for a while now and have seen that they have developed sophisticated methods for luring their victims in without drawing attention to the infection process. Cryptocurrency and blockchain-based industries continue to evolve and attract higher levels of investment. Therefore, they attract not only scammers and phishers, but also ‘big game hunters’, including financially motivated APT groups. With the cryptocurrency market growing, we strongly believe Lazarus’s interest in the industry will not diminish any time soon. In a recent campaign, Lazarus abused a legitimate DeFi app by mimicking it and dropping malware, which is a common tactic used in crypto-hunting. That is why we urge companies to remain vigilant about unknown links and email attachments, as they may well be fraudulent, even if they appear familiar and safe,” says Seongsu Park, senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).